ONLINE TRAINING


Security for Emerging Technology: Social Networking Sites 







(U) This training steps you through the emerging risks posed by evolving technologies as they apply to social networking sites. Learn
best practices for maintaining security, preventing security incidents, and recovering from a security incident.


NROU SCHOOL: School of Security

(U) By the end of this training, you will be able to:


Define the term, social networking site 
Identify the risk 

Identify the security best practices 
Identify appropriate incident responses 
WHO SHOULD ATTEND: Recommended for anyone who uses social networking sites, or has family or friends that use social networking sites.
COURSE PROVIDER: Office of Security and Counterintelligence
REGISTRATION: (b)(3)
REFERENCE MATERIALS: NONE





COURSE DETAILS:
• (U) Overall Course Classification: UNCLASSIFIED//FOR OFFICIAL USE ONLY
• (U) Delivery Method: Web-based Training
• (U) Duration: 10 minutes
• (U) Minimum System Requirements: Internet Explorer 7 and Flash Player 10+
DELIVERY: Computer Based / Web-Based 
COURSE LENGTH: (¢) 
CLASSIFICATION: UNCLASSIFIED 


For IT support, email NROU webmasters 
Introduction


(U) Security for Emerging Technology | Social Networking Sites 


(U) Welcome to Social Networking Sites, part of our Security for Emerging Technology 
curriculum. 


(U) Join us on a walk-through of the emerging risks posed by evolving technologies. Learn 
best practices for maintaining security, preventing security incidents and recovering from a 
security incident. 


(U) Objectives 
(U) By the end of this topic, you will be able to: 


• Define the term
• Identify the risk
• Identify security best practices
• Identify appropriate incident responses


(U) We recommend you take the pre-test before beginning the topic. If you can answer 80% 
of the questions correctly, you will receive credit for this topic. 





Body 





(U) Vignette 
(U) Disclaimer: The Onion News Network is not a real news network. It is a satire site. 
(U) What Are They? 


(U) Social Networking Sites are designed to encourage making connections and sharing 
information. 


(U) Any online service, platform or site that allows users to post information on a personal
profile and network with others via a list of contacts can be considered a Social Networking
Site. They include blogs, microblogs, photo and video sharing sites, collaborative wikis and
more.


(U) What is the Risk? 
(U) Careless participation could: 
• Reveal sensitive information
• Compromise sensitive operations
• Set up self or others for further targeting
• Infect system with malware
• Enable identity theft


(U) Examples 
(U) Click an example from the list on the left to view additional information. 


(U) OPSEC Violation (Facebook) 
(U) Always consider what a malicious actor can do with the information you’re sharing.
(U) How useful would his photos be to someone planning an attack?


(U) OPSEC Violation (Facebook) 
(U) Not only do you need to practice OPSEC, you need to watch your network. 


(U//FOUO) In December 2011, an F-15E squadron out of Europe received orders for a short-notice,
out-of-cycle deployment to Afghanistan. All December leave was cancelled to prepare
for deployment.


(U) An adversary, following the social network connections, can now learn the deployment 
details. 


(U) Spear-Phishing (LinkedIn) 
(U) Like email, you must be alert when using Social Networking Sites for phishing, malware
and other online scams.

Graphic: network


(U) Spear-phishing is a kind of social engineering trick aimed at a specific victim. 
(U) A spear-phishing message might include not only your name but other specific
information (mentions of friends by name, organizational references) that helps personalize it
and make it believable. Spear-phishers can draw this information from social networks.


(U) Phishing (Facebook)
Graphic: phishing email
(U) This post went up mere hours after the death of Apple co-founder Steve Jobs.


(U) In six hours, over 15,000 users had clicked the link and been sent to websites to fill out 
surveys or sign up for free offers. 


(U) Every click generated paid affiliate fees for the scammers. 
(U) Privacy Loophole (Skype)

(U) Use your privacy and security settings, but don’t rely on them — even the most restrictive 
privacy controls can’t protect against loopholes or security flaws in the service. 

Graphic: RIP Steve Jobs
Graphic: bitly count

(U) Researchers found a vulnerability in Skype, a popular service for video chat over the
internet, which can expose your location, identity, and the content you’re downloading.

(U) Skype tracks a user’s location over time and any peer-to-peer file sharing activity. A caller
using a VoIP (Voice over IP) system can obtain the recipient’s IP address when establishing
the call. They can then use commercial geo-IP mapping services to determine the other user’s
location and Internet Service Provider (ISP).





(U) They also found it was possible to obtain the user’s IP address without alerting them to 
the call attempt, without being on their contact list, and even if the user had explicitly 
configured Skype to block calls from non-contacts. 





(U) Identity Theft (Mock Site) 
(U) What information is risky? Mouse-over areas to view the danger. 


(U) What Can I Do? 
(U) Know your exposure — different sites are designed to share information in different ways. 
• Know where your information is
• Know who and what can access it


(U) Monitor your online identity.
• Just because you aren’t posting doesn’t mean others aren’t posting about you.

Graphic: mock site (with rollovers)

(U) When browsing:
• Be wary of links and online scams.


(U) Always logout and close the browser window when finished. 
• Social Networking Sites can collect information on you when you visit other sites
while logged in to their site.
• Closing only the page tab will not log you out; you must close the window.


(U) What Can I Do? 
(U) When creating a profile: 
• Limit personal or identifying information on your profile. Most fields are not
required.
• Use a unique password and change it regularly. A password manager can help manage
accounts — or you can write them down.
• Set your privacy settings and review them regularly. When a site updates or changes
features, it can reset your settings to the default, which is usually “public” or “opt-out”.
• Don’t friend anyone you don’t know.
    ◦ Verify identity through outside channels. Just as you can enter false
    information in your profile, so can other people.
(U) Applications:
• Restrict which applications can access your profile and what data they can access.
Don’t hesitate to refuse an application if it wants more access than you’re comfortable
with.


(U) What Can I Do? 
(U) Before posting ask yourself: 
• Why are you sharing this?
• Who will be able to see it?
• What metadata will be associated with it?
• What will people do with the information?
• What can be learned from it if aggregated with other information?
• How will this information be transmitted and stored?
• How can I delete it if I change my mind?

Graphic: failbook

(U) When posting:
• Sanitize sensitive, critical, and personal information about you, your fellow
coworkers, family and friends.
• Use filters to restrict who can see your posts.
• Even with filters, never put anything online you wouldn’t feel comfortable with the
whole Internet seeing.
• Never provide passwords, credit card information, or money to someone via SNS.

(U) No One’s Perfect 


(U) If you see something posted to a Social Networking Site that you believe violates OPSEC: 
• Do NOT comment on the site.
• Report it to your cognizant Security Officer.





(U) If you need to delete information or a post: 
• Delete it immediately.
• If the information was classified, report it to your cognizant Security Officer.

(U) Question 1
(U) Question 2
(U) Question 3
(U) Question 4
(U) Question 5

Graphic: Photos of credit cards
Graphic: posted
Conclusion


(U) Congratulations! 


(U) You have completed the SET: Social Networking Sites lesson. You may print your certificate or 
exit the course now. 




















Questions 
(U) Pretest 
(U) Directions: Evaluate the following statements about Social Networking Sites as TRUE or
FALSE. Click done to submit your answer.
(U) Social Networking Sites encourage building social networks and sharing information.
A. True **
B. False
(U) You must fill in all profile information when creating an account.
A. True
B. False **
(U) Profile information is always true.
A. True
B. False **
(U) Most Social Networking Sites are “opt-in” as their default.
A. True
B. False **
(U) Once set, security and privacy settings never need to be revisited.
A. True
B. False **
(U) It’s ok to post anything that’s UNCLASSIFIED.
A. True
B. False **
(U) You should not have an expectation of privacy when using a Social Networking Site.
A. True **
B. False
(U) Deleting a post, or your account, removes that information from everywhere it’s stored.
A. True
B. False **
(U) You do not need to worry about phishing, malware, or other scams on Social Networking
Sites.
A. True
B. False **
(U) Sharing personally identifiable information can lead to identity theft.
A. True **
B. False
(U) Social Networking Sites can collect information on you when you visit other sites while
logged in to their site.
A. True **
B. False

(U) Programs can be opt-in or opt-out.
• Opt-in: you are not enrolled but have the option to join in.
• Opt-out: you are automatically enrolled and have the option to be taken out.
(U) Question #1


(U) You must fill in all profile information when creating an account. 
A. True 
B. False ** 


(U) Profile information is always true. 
A. True 
B. False ** 
(U) Question #2 
(U) Most Social Networking Sites are “opt-in” as their default. 
A. True 
B. False ** 


(U) Once set, security and privacy settings never need to be revisited. 


A. True 
B. False ** 
(U) Question #3 
(U) It’s ok to post anything that’s UNCLASSIFIED. 
A. True
B. False ** 
(U) You should not have an expectation of privacy when using a Social Networking Site. 
A. True **
B. False
(U) Deleting a post, or your account, removes that information from everywhere it’s stored.
A. True
B. False **
(U) Question #4 
(U) You do not need to worry about phishing, malware, or other scams on Social Networking
Sites.
A. True
B. False ** 
(U) Sharing personally identifiable information can lead to identity theft. 
A. True ** 
B. False 
(U) Question #5 


(U) Social Networking Sites can collect information on you when you visit other sites while 
logged in to their site. 

A. True **

B. False 

















Graphics and Additional Information 


Rollover Textbox:
Metadata for a post can include:
• Time
• Location
• Method (web, mobile, app, etc.)
• IP address


Rollover Textbox: personal information 
In addition to Personally Identifiable Information, this includes personal health information:
• Prescriptions
• Allergies
• Medical conditions
• Primary care physician name and location
Graphic: Network











(U//FOUO) Practiced good OPSEC and did not post any
details on any Social Networking Sites.

(U//FOUO) Posted about the deployment in
general terms on Facebook, staying within
OPSEC guidelines.

(U//FOUO) Posted specific dates and names associated
with the deployment on her blog.
Graphic: bitly count

Graphic: Mock site 
Rollovers

(U) Provides your full name. 

(U) Head shot can be used to create a fake id. 

(U) Tells people you will be out of town. 

(U) Identifies your bank. 

(U) Provides your full name. 

(U) Combined with knowledge of when you’ll be out of town, identity thieves can steal mail,
including credit card applications.

(U) Date of birth is often used on forms and to confirm identity. 

(U) This is often your hometown, a key piece of identity data. 

(U) People commonly have personal security questions for passwords associated with their pets. 
(U) Mother’s maiden name is a common security verification question. 

(U) The game designer may have created the game simply to get registration information. 


Graphic: failbook 


Angela: Whoever is giving my number out to random guys needs to stop.
about an hour ago

Caitlin Gimem likes this.
Graphic: posted PII


ATTENTION EVERYONE. FACEBOOK IS GOING TO START CHARGING A FEE FOR
USE. THEY ARE OFFERING A ONE TIME FREE SIGNUP FOR THOSE OVER 18. ALL
YOU HAVE TO DO IS POST YOUR CREDIT CARD NUMBER, COMPLETE WITH CVV
CODE AND EXPIRATION DATE, YOUR BIRTHDATE, AND SOCIAL SECURITY
NUMBER TO MY PROFILE BEFORE 12:01 EST.